You can use a Lambda function subscribed to AWS's AmazonIpSpaceChanged SNS topic to update a security group's rules whenever AWS publishes a new ip-ranges.json, for example to keep an origin's HTTPS ingress restricted to CloudFront's current public IP ranges. Newer deployments can instead reference the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing in the rule, which removes the need for the Lambda.
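The handler below is an added example, not code from the page or from AWS: it parses an ip-ranges.json notification, verifies the topic and the announced md5, computes the difference between the CloudFront prefixes and the group's current tcp/443 rules, and applies only that difference. The SECURITY_GROUP_ID environment variable, the tcp/443 port choice and the sample data (TEST-NET addresses) are assumptions made for the example; the topic ARN and URL are the ones AWS publishes.

```python
"""
Added example (not the page's code): Lambda handler that keeps one security
group's tcp/443 ingress equal to the CloudFront prefixes in ip-ranges.json.
Assumed: the group id arrives in SECURITY_GROUP_ID and the function is
subscribed to AWS's AmazonIpSpaceChanged SNS topic.
"""
import hashlib
import json
import os
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"
# Topic AWS publishes ip-ranges.json change notifications to.
EXPECTED_TOPIC_ARN = "arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged"
SERVICE = "CLOUDFRONT"
PORT = 443  # assumed: origin listens on HTTPS only

# Constructed excerpt in the shape of ip-ranges.json (TEST-NET addresses, not real data).
SAMPLE_IP_RANGES = {
    "syncToken": "1700000000",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "AMAZON"},  # same CIDR, other tag
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
}

# Constructed describe_security_groups() entry: one CloudFront CIDR already present,
# one stale CIDR on 443, and an unrelated SSH rule the function must leave alone.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "192.0.2.0/24"}, {"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}


def service_prefixes(ip_ranges, service=SERVICE):
    """Unique IPv4 CIDRs tagged with `service`; the same CIDR may also appear under AMAZON."""
    return {p["ip_prefix"] for p in ip_ranges["prefixes"] if p["service"] == service}


def current_cidrs(group, port=PORT):
    """IPv4 CIDRs the group already allows on tcp/port; rules for other ports are ignored."""
    cidrs = set()
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port and perm.get("ToPort") == port:
            cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs


def plan_changes(wanted, existing):
    """CIDRs to authorize and CIDRs to revoke so the tcp/port rule set equals `wanted`."""
    return sorted(wanted - existing), sorted(existing - wanted)


def ip_permission(cidrs, port=PORT, description="CloudFront"):
    """IpPermissions entry for authorize/revoke_security_group_ingress."""
    ranges = [{"CidrIp": c} for c in cidrs]
    if description:
        for r in ranges:
            r["Description"] = description
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": ranges}


def notification(record, expected_arn=EXPECTED_TOPIC_ARN):
    """Parse one SNS record, refusing notifications that did not come from AWS's topic."""
    sns = record["Sns"]
    if sns.get("TopicArn") != expected_arn:
        raise ValueError(f"unexpected topic {sns.get('TopicArn')}")
    return json.loads(sns["Message"])  # carries create-time, synctoken, md5, url


def digest_matches(body, expected_md5):
    """The notification's md5 confirms the download is the announced version of the file."""
    return hashlib.md5(body, usedforsecurity=False).hexdigest() == expected_md5


def lambda_handler(event, context):
    import boto3  # imported here so the planning functions above run without boto3 installed

    group_id = os.environ["SECURITY_GROUP_ID"]
    message = notification(event["Records"][0])
    body = urllib.request.urlopen(IP_RANGES_URL, timeout=10).read()  # fixed URL, never message["url"]
    if not digest_matches(body, message["md5"]):
        raise RuntimeError("downloaded ip-ranges.json does not match the announced md5")

    ec2 = boto3.client("ec2")
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    to_add, to_remove = plan_changes(service_prefixes(json.loads(body)), current_cidrs(group))
    if to_add:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[ip_permission(to_add)])
    if to_remove:
        ec2.revoke_security_group_ingress(GroupId=group_id,
                                          IpPermissions=[ip_permission(to_remove, description=None)])
    return {"syncToken": message["synctoken"], "added": to_add, "removed": to_remove}


if __name__ == "__main__":
    # Offline dry run against the constructed data: (['198.51.100.0/24'], ['10.0.0.0/8'])
    print(plan_changes(service_prefixes(SAMPLE_IP_RANGES), current_cidrs(SAMPLE_GROUP)))
```

Two points a production version has to deal with: the function's role needs only ec2:DescribeSecurityGroups, ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress scoped to that group, and the CloudFront IPv4 list is longer than the default inbound-rule quota of a single security group, so the prefixes must be spread over several groups (or the managed prefix list used instead).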
You do not need to set up SSO in a separate AWS account to restrict or deny users' permissions for particular services, including IAM and SSO itself; Deny statements in the permission set assigned to those users do that within the same account.
You can use Azure PowerShell (the Az module) to create a key vault (New-AzKeyVault), add secrets to it (Set-AzKeyVaultSecret) and assign an access policy to users, groups or applications (Set-AzKeyVaultAccessPolicy), granting each principal only the secret permissions it needs.
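The same procedure with the Azure SDK for Python, as an added example rather than the page's own script: build one access-policy entry per principal (user, group or app service principal, identified by Entra ID object id), merge entries the way the vault does (one entry per principal, a new one replaces the old), refuse broad permissions such as all or purge, then create the vault and store a secret. The tenant, subscription, resource group, vault name and object ids are placeholders assumed for the example.

```python
"""
Added example (not the page's script): create a Key Vault whose access policy
grants a user, a group and an application only the secret permissions each
needs, then store a secret. Uses azure-identity, azure-mgmt-keyvault and
azure-keyvault-secrets; all ids and names below are assumed placeholders.
"""
import os

TENANT_ID = os.environ.get("AZURE_TENANT_ID", "00000000-0000-0000-0000-000000000000")  # placeholder
SUBSCRIPTION_ID = os.environ.get("AZURE_SUBSCRIPTION_ID", "00000000-0000-0000-0000-000000000000")  # placeholder
BROAD = {"all", "purge"}  # secret permissions that should not be handed out routinely


def access_policy(object_id, secrets=("get", "list"), tenant_id=TENANT_ID):
    """One access-policy entry; object_id is the Entra ID object id of a user, group or service principal."""
    return {"tenant_id": tenant_id, "object_id": object_id,
            "permissions": {"secrets": [s.lower() for s in secrets]}}


def merge_policies(existing, new):
    """The vault keeps one entry per principal: a new entry for the same object id replaces the old one."""
    by_id = {p["object_id"]: p for p in existing}
    for p in new:
        by_id[p["object_id"]] = p
    return list(by_id.values())


def over_privileged(policies):
    """Object ids whose entry grants 'all' or 'purge' on secrets."""
    return [p["object_id"] for p in policies if BROAD & set(p["permissions"]["secrets"])]


def create_vault(resource_group, vault_name, location, policies):
    """Create (or update) the vault with the given access policies; returns the vault URI."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.keyvault import KeyVaultManagementClient
    from azure.mgmt.keyvault.models import (AccessPolicyEntry, Permissions, Sku,
                                            VaultCreateOrUpdateParameters, VaultProperties)
    if over_privileged(policies):
        raise ValueError(f"broad secret permissions for {over_privileged(policies)}")
    entries = [AccessPolicyEntry(tenant_id=p["tenant_id"], object_id=p["object_id"],
                                 permissions=Permissions(secrets=p["permissions"]["secrets"]))
               for p in policies]
    params = VaultCreateOrUpdateParameters(
        location=location,
        properties=VaultProperties(tenant_id=TENANT_ID, sku=Sku(family="A", name="standard"),
                                   access_policies=entries,
                                   enable_purge_protection=True))  # deleted secrets cannot be purged early
    client = KeyVaultManagementClient(DefaultAzureCredential(), SUBSCRIPTION_ID)
    vault = client.vaults.begin_create_or_update(resource_group, vault_name, params).result()
    return vault.properties.vault_uri


def store_secret(vault_uri, name, value):
    """Write a secret through the data plane; the caller needs the 'set' permission."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=vault_uri, credential=DefaultAzureCredential())
    return client.set_secret(name, value).properties.version


if __name__ == "__main__":
    policies = [
        access_policy("11111111-1111-1111-1111-111111111111", ("get", "list", "set")),  # an operator (user)
        access_policy("22222222-2222-2222-2222-222222222222", ("get", "list")),         # an admin group
        access_policy("33333333-3333-3333-3333-333333333333", ("get",)),                # an app's service principal
    ]
    uri = create_vault("rg-secrets", "kv-example-001", "westeurope", policies)
    print(store_secret(uri, "db-password", os.environ["DB_PASSWORD"]))
```

Access policies are the vault-permission model this page describes; a vault created with enable_rbac_authorization=True ignores them and uses Azure role assignments (for example Key Vault Secrets User) instead, so check which model a vault uses before editing its policies.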
If you created a stack without a stack policy, you can apply one to it later only with the AWS CLI (aws cloudformation set-stack-policy) or the SetStackPolicy API; the console accepts a stack policy only while the stack is being created. Once a stack policy is set it cannot be deleted, only replaced, for example with a policy that allows all updates.
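An added example, not the page's or AWS's code, that builds a stack policy protecting named resources from replacement and deletion, evaluates it the way CloudFormation does (an explicit Deny wins, and nothing is allowed without a matching Allow), and applies it to an existing stack through the same SetStackPolicy API that `aws cloudformation set-stack-policy` calls. The stack and resource names are placeholders assumed for the example.

```python
"""
Added example (not the page's code): build, evaluate and apply a CloudFormation
stack policy for an existing stack. Stack and logical ids are placeholders.
"""
import fnmatch
import json

PROTECT_ACTIONS = ("Update:Replace", "Update:Delete")


def build_stack_policy(protected_ids, deny_actions=PROTECT_ACTIONS):
    """Allow every update, then deny replacement/deletion of the protected logical ids.
    An empty protected list yields the allow-all policy used to 'remove' protection."""
    return {"Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        *({"Effect": "Deny", "Action": list(deny_actions), "Principal": "*",
           "Resource": f"LogicalResourceId/{lid}"} for lid in protected_ids),
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, logical_id, action):
    """Action and Resource accept '*' wildcards (Update:*, LogicalResourceId/Prod*)."""
    resource = f"LogicalResourceId/{logical_id}"
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))


def update_allowed(policy, logical_id, action):
    """Stack-policy semantics: explicit Deny wins; no matching Allow means the update is denied."""
    effects = {s["Effect"] for s in policy.get("Statement", []) if _matches(s, logical_id, action)}
    return "Allow" in effects and "Deny" not in effects


def policy_body(policy):
    """Serialized form passed as StackPolicyBody."""
    return json.dumps(policy, indent=2)


def apply_stack_policy(stack_name, policy):
    """Set the policy on an existing stack and read it back to confirm what is in force."""
    import boto3  # imported here so the policy logic above runs without boto3 installed
    cfn = boto3.client("cloudformation")
    cfn.set_stack_policy(StackName=stack_name, StackPolicyBody=policy_body(policy))
    return json.loads(cfn.get_stack_policy(StackName=stack_name)["StackPolicyBody"])


if __name__ == "__main__":
    policy = build_stack_policy(["ProductionDatabase"])
    print(policy_body(policy))
    print(apply_stack_policy("prod-stack", policy))  # placeholder stack name
```

Protected resources are not frozen for good: an update that must replace one is run with an override (`aws cloudformation update-stack --stack-policy-during-update-body`), which applies only for that update. The evaluator above covers Action and Resource matching; stack policies can also carry a Condition on ResourceType, which it does not implement.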